ralebo🇺🇸
How do I add a new subnet to an existing VPN policy in a SonicWall TZ-400
I am attempting to add a secondary subnet to an existing VPN policy on the same site to site VPN.

The subnets are 10.2.200.0 and 10.100.128.0

The 10.2.200.0 is existing and works.

I have done the following:

  • Added a network object for 10.100.128.0
  • Created an Address Group and added both subnets to it
  • Edited the current VPN Policy and replaced the single network object with the address group

The tunnel establishes, but on the first negotiation only the 10.100.128.0 network passes traffic. If you renegotiate the tunnel, the 10.2.200.0 works. Both subnets will not pass traffic at the same time.

I have also tried two separate VPN policies using the individual network objects with the same result.

-- Did a packet capture for the non-working subnet. ECHO packets were forwarded from this side, but the ECHO reply packets were dropped coming back: Drop Code 440, "Octeon Decryption Failed selector check", module id 20 "IPSEC".

-- Checked a relevant knowledge base article for the error code and, as per that article,

-- Under VPN policy, Advanced, checked "Disable IPSEC Anti Replay".

-- Checked for the error again in the PCAP; it was still coming up the same, with the same traffic result.

Any help is appreciated.
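The drop reason in the capture, "Decryption Failed selector check", is the IPsec inbound traffic-selector check from RFC 4301: after a packet is decrypted, its inner source and destination are compared against the traffic selectors negotiated for the child (Phase 2) SA it arrived on, and a mismatch is dropped even though decryption succeeded. The toy model below is an added example written for this page, not code from the thread, from SonicWall, or from any vendor. It assumes both remote subnets are /24, that the local subnet behind the asker's firewall is 192.168.1.0/24, and that the sample hosts (.5 in each remote subnet, 192.168.1.10 locally) are constructed; it goes beyond the thread by also showing a single SA whose selector covers both subnets.

```python
"""Toy model of the IPsec inbound traffic-selector check (RFC 4301 s.5.2).

Added example, not code from the original thread or from SonicWall. It shows
why a reply from the second remote subnet can decrypt correctly and still be
dropped with a "selector check" reason: the inner packet is compared against
the selectors of the child SA it arrived on, and a single SA negotiated for
only one subnet pair cannot carry traffic for the other.

Assumptions not stated in the thread: both remote subnets are /24, the local
subnet behind the asker's firewall is 192.168.1.0/24, and the sample hosts
(.5 in each remote subnet, 192.168.1.10 locally) are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

LOCAL_NET = ip_network("192.168.1.0/24")            # assumed local subnet
REMOTE_NETS = ["10.2.200.0/24", "10.100.128.0/24"]  # from the thread, /24 assumed
LOCAL_HOST = "192.168.1.10"                         # constructed


@dataclass(frozen=True)
class ChildSA:
    """One child (Phase 2) SA and the traffic selectors negotiated for it."""
    name: str
    local: IPv4Network   # our side: inbound inner dst must fall in here
    remote: IPv4Network  # peer side: inbound inner src must fall in here


def inbound_selector_check(sa: ChildSA, inner_src: str, inner_dst: str) -> bool:
    """After decryption, the inner header must match the SA's selectors."""
    return ip_address(inner_src) in sa.remote and ip_address(inner_dst) in sa.local


def build_sas(single_sa_remote: Optional[str] = None) -> List[ChildSA]:
    """Two Phase 2 outcomes:
    - single_sa_remote=None: one child SA per remote subnet, which is what
      both peers must agree on for an address group to work;
    - single_sa_remote="x/y": the peers ended up with one SA whose remote
      selector covers only x/y, so the other subnet is in no SA at all."""
    if single_sa_remote is not None:
        return [ChildSA("sa0", LOCAL_NET, ip_network(single_sa_remote))]
    return [ChildSA(f"sa{i}", LOCAL_NET, ip_network(n))
            for i, n in enumerate(REMOTE_NETS)]


def peer_sends_on(sas: List[ChildSA], src: str) -> ChildSA:
    """The remote peer's outbound lookup: the SA whose selector covers the
    source; a peer that only installed one SA puts everything on it."""
    return next((s for s in sas if ip_address(src) in s.remote), sas[0])


def simulate(single_sa_remote: Optional[str] = None) -> Dict[str, str]:
    """Send one echo reply from each remote subnet back to LOCAL_HOST and
    record the receiving firewall's verdict per subnet."""
    sas = build_sas(single_sa_remote)
    verdict = {}
    for n in REMOTE_NETS:
        src = str(ip_network(n)[5])  # constructed host in that subnet
        sa = peer_sends_on(sas, src)
        ok = inbound_selector_check(sa, src, LOCAL_HOST)
        verdict[n] = "forward" if ok else f"drop: selector check on {sa.name}"
    return verdict


def covering_selector(nets: List[str]) -> IPv4Network:
    """Smallest single prefix that contains every subnet in `nets`."""
    net = ip_network(nets[0])
    while not all(ip_network(n).subnet_of(net) for n in nets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    print("single SA, 10.100.128.0/24 only:", simulate("10.100.128.0/24"))
    print("single SA, 10.2.200.0/24 only:  ", simulate("10.2.200.0/24"))
    print("one SA per subnet:              ", simulate())
    wide = covering_selector(REMOTE_NETS)
    print(f"single SA covering both ({wide}):", simulate(str(wide)))
```

Running it reproduces the symptom in the question: with one SA negotiated for only one of the two subnets, replies from that subnet are forwarded and replies from the other are dropped at the selector check, and which subnet "wins" depends on which selector pair the single SA ended up with. Anti-replay has nothing to do with this check, which is why disabling it changed nothing. The last case, a single SA with a wide covering prefix (10.0.0.0/9 here), passes the check for both subnets, but it also widens what the tunnel will accept and forward from the peer, so per-subnet SAs, or selectors that match the address group on both ends, are the least-privilege way to get the same result.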



Philip Elder🇨🇦

Set up the network object for the new network.

  • You need to make sure that your new subnet is included in Destinations for the IPSec VPN setting.
  • VPN Policy --> Network --> Destination (create a group, drop both subnet objects in it, then select it)

That should get things flowing between them once the SonicWALL updates the rules.

ralebo🇺🇸

ASKER

Philip, I did create an address group and used that as the destination. Only one subnet works at a time.

Philip Elder🇨🇦

Both subnets are at the one site?


ralebo🇺🇸

ASKER

Both subnets are at the remote site.

Philip Elder🇨🇦

Check both the Firewall and NAT rules sections to make sure that there are rules in place that will allow packets to move between sites and the new subnet.

ASKER CERTIFIED SOLUTION
ralebo🇺🇸

ASKER


Chuck Cates🇺🇸

On the Sonicwall side, if you create a separate VPN policy for each subnet, can the same Peer Gateway IP for the remote site be used?  It gives a warning that it found a policy with the same Peer Gateway and Phase 1 proposal for the matching policy might be overwritten.  It could be just a warning but want to make sure it will not break the first VPN policy as well.
